In the classical setting, public-key encryption requires randomness in order to be secure against a forward search attack, whereby an adversary compares the encryption of a guess of the secret message with that of the actual secret message. We show that this is also true in the information-theoretic setting — where the public keys are quantum systems — by defining and giving an example of a forward search attack for any deterministic quantum-public-key bit-encryption scheme. However, unlike in the classical setting, we show that any such deterministic scheme can be used as a black box to build a randomized bit-encryption scheme that is no longer susceptible to this attack.
Quantum-public-key cryptography, where the public keys are quantum-mechanical systems, was introduced by Gottesman and Chuang in Ref. [?], which contains an information-theoretically secure quantum digital signature scheme for signing classical messages. Other explorations within this information-theoretic framework include a no-go theorem for signing arbitrary quantum states [?], "lock and key" systems and distribution of quantum public keys [?], identification schemes [?], and — our focus in this paper — encryption schemes [?].

Roughly put, the purpose of an encryption scheme is to facilitate the communication of some secret information over an insecure channel, from a sender to a receiver, such that an adversary, who has access to this channel, cannot obtain anything close to a meaningful representation of the secret information. This secret information is called the plaintext, while the actual signal sent over the channel, which somehow encodes the plaintext, is called the ciphertext. In the classical setting, public-key encryption requires randomness in order to be secure against a forward search attack, whereby an adversary compares the ciphertext encoding a guess of the plaintext — the test-plaintext — with the ciphertext she is trying to decrypt (see Ref. [?] for more details in the classical setting). We show that this is also true in our information-theoretic setting (defined in Section II), by defining and giving an example of a forward search attack for any deterministic bit-encryption scheme that uses quantum public keys. However, unlike in the classical setting, we show that any such deterministic scheme can be used as a black box to build a randomized bit-encryption scheme that is no longer susceptible to this attack.



The potential for information-theoretic security in the quantum-public-key setting arises from the existence of a quantum function, mapping classical private keys (binary strings) to corresponding quantum public keys (quantum-mechanical systems), that is impossible to invert. More precisely, we have the following general setup. All users of the cryptosystem agree on a classical description of a set

$$
A(n) = \{\, |\psi_x\rangle : x \in \{0,1\}^n \,\} \qquad (1)
$$

of $\log_2(d)$-qubit pure states (in general, $d = d(n)$) such that, for any distinct $x$ and $x'$ in $\{0,1\}^n$,

$$
|\langle \psi_{x'} | \psi_x \rangle| \le \delta \qquad (2)
$$

for some positive constant $\delta < 1$. Any user can now choose a uniformly random private key $k \in \{0,1\}^n$ and then generate and distribute (at most) $T$ quantum-mechanical systems in (i.e. copies of) the state $|\psi_k\rangle$; each copy of $|\psi_k\rangle$ constitutes one (quantum) public key. We assume that each public key reaches its intended recipient in an authenticated fashion. The bijective map

$$
x \mapsto |\psi_x\rangle^{\otimes T} \quad (T \text{ copies of } |\psi_x\rangle) \qquad (3)
$$

is a one-way (quantum) function in the sense that, for a given $x \in \{0,1\}^n$, the deterministic preparation of a system in the state $|\psi_x\rangle$ is possible via the classical description of $A(n)$, while the inversion of the map (with non-negligible probability) is guaranteed impossible by the Holevo bound when

$$
n \gg T \log_2(d). \qquad (4)
$$

This inequality thus sets an upper bound on the number $T$ of public keys that can be publicly distributed, in order to ensure the secrecy of the private key, which is the minimal requirement for security of any cryptographic scheme in this framework. Note that the notion of computational efficiency may be ignored in an information-theoretic setting; however, there do exist constructions of $A(n)$ such that $n$ is large enough that the set is cryptographically useful and such that, for all $x \in \{0,1\}^n$, a copy of $|\psi_x\rangle$ can be computed in (quantum-)polynomial time from input $x$ [?].

Within the above framework, a deterministic quantum-public-key bit-encryption scheme may be defined by further specifying (and publishing, along with the description of $A(n)$) two unitary encryption operators, $U_0$ and $U_1$, and a decryption procedure whose exact form does not concern us. If Bob wants to communicate the plaintext $b \in \{0,1\}$ to Alice, he obtains an authenticated copy of Alice's public key, which is, by definition, in the state $|\psi_k\rangle$, creates the (quantum) ciphertext in the state $|\Phi_{k,b}\rangle = U_b |\psi_k\rangle$, and sends it to Alice, who then decrypts and recovers the plaintext. Note that $U_0$ and $U_1$ do not depend on the private key $k$, but Alice's decryption procedure does. Because $U_0$ and $U_1$ are public and key-independent, anyone holding a copy of Alice's public key can prepare the ciphertext of any plaintext of their choosing; this is exactly what the forward search attack of Section III exploits.

Of course, in general, in our quantum setting, the plaintext can also be quantum, i.e., it can be a quantum-mechanical system in a particular state. Thus, we are focusing on the case where (a classical description of) the set of all possible (quantum) plaintexts consists of just two orthogonal states, $|0\rangle$ and $|1\rangle$. This is in fact the most general case from a security point of view: it may be seen as corresponding to the case where the adversary has narrowed down the plaintext to one of two maximally-distinguishable possibilities (of course, the states of the corresponding ciphertexts need not be orthogonal, depending on the encryption scheme; but, in any reasonable scheme, orthogonal plaintext-states would give rise to maximally-distinguishable ciphertexts, for a given key-value). However, we do not formally define what it means for an encryption scheme to be secure, because we do not prove security of any scheme; we only ever refer to security against a particular attack, i.e., our forward search attack.

In the following, we may abuse terminology by referring to quantum public keys or ciphertexts by their classical descriptions, i.e., by their states.



III. FORWARD SEARCH ATTACK BASED ON A SYMMETRY TEST

Before defining "(quantum) forward search attack", we should remind ourselves of what is the most general attack for uncovering the plaintext encoded by a particular ciphertext (as opposed to an attack that tries to compute the private key). If an adversary, Eve, wants to decide what the plaintext $b$ is, given the ciphertext $|\Phi_{k,b}\rangle$ and all $(T-1)$ possible copies of the public key $|\psi_k\rangle$, then she is ultimately faced with the problem of deciding which of the following two states she has:

$$
\rho_0 = \frac{1}{2^n} \sum_{x} |\psi_x\rangle\langle\psi_x|^{\otimes (T-1)} \otimes |\Phi_{x,0}\rangle\langle\Phi_{x,0}| \qquad (5)
$$

$$
\rho_1 = \frac{1}{2^n} \sum_{x} |\psi_x\rangle\langle\psi_x|^{\otimes (T-1)} \otimes |\Phi_{x,1}\rangle\langle\Phi_{x,1}| \qquad (6)
$$

The optimal procedure ("POVM") for solving this "binary quantum decision problem" is given in Refs. [?] and depends on $\rho_0$, $\rho_1$, and the prior probability distribution $(p, 1-p)$ of the plaintext $b$ (i.e. $P[b=0] = p$). We assume that Eve can implement this optimal procedure, since we do not place any computational resource bounds on her. The probability of success of this optimal procedure, which is affinely related to the trace distance between $p\rho_0$ and $(1-p)\rho_1$, is in general difficult to calculate.

In this paper, we concentrate on a restricted class of attacks that attempt to uncover the plaintext encoded by a particular ciphertext.

Definition 1 (Forward search attack). A forward search attack on a deterministic quantum-public-key bit-encryption scheme is any (quantum) algorithm — independent of the encryption and decryption operations and the structure of the set of public keys — that outputs the plaintext with some probability of error, given one copy of the actual ciphertext and all available copies of the ciphertext encoding a test-plaintext.

As an aside, we note that this definition subsumes the definition of "forward search attack" for computationally-secure, classical public-key bit-encryption schemes that are implemented quantum-mechanically [?]. In the following, we give a simple forward search attack that we suspect is near to the optimal forward search attack and whose probability of success is easily computed. To simplify our presentation, we assume that each plaintext is equally likely and thus always use the test-plaintext 0 without loss of generality.

Following Ref. [12], we first define a problem that captures the essence of Eve's task of determining the plaintext via forward search attack (i.e. ignoring all structure of the particular cryptosystem), and then we give a solution for it, based on a test for symmetry.

Definition 2 ($(1, N-1)$-copy state distinguishing problem). Given one copy of $|\xi\rangle \in \mathbb{C}^d$ and $(N-1)$ copies of $|\chi\rangle \in \mathbb{C}^d$ such that either $|\xi\rangle = |\chi\rangle$ or $|\langle\xi|\chi\rangle| = \lambda < 1$, decide which case holds.

To solve this problem with some probability of error, we can use the symmetry-test procedure depicted in Fig. 1, which we now explain. Let $S_N$ be the set of all $N!$ permutations on $N$ objects and let $\sigma \in S_N$. The operator $F$ is the $(N!)$-dimensional quantum Fourier transform [12], so that, in particular,

$$
F|0\rangle = \frac{1}{\sqrt{N!}} \sum_{\sigma \in S_N} |\sigma\rangle, \qquad (7)
$$



[Fig. 1: circuit diagram; control register prepared in $|0\rangle$ (top wire), target registers in $|\xi\rangle \otimes |\chi\rangle^{\otimes (N-1)}$ (bottom wire).]

FIG. 1: (Color online) Symmetry-test for the $(1, N-1)$-copy state distinguishing problem. The top (blue) wire is an $N!$-dimensional quantum system, whose state-space is spanned by the computational basis states, each of which is labeled by a permutation $\sigma \in S_N$ (e.g. $|0\rangle$ corresponds to the identity permutation). The bottom wire represents $N$ registers, each of dimension $d$.



and the controlled-$\sigma$ operator permutes the $N$ target registers according to the permutation $\sigma$ encoded by the computational-basis state of the control register. The probability of the final measurement in the computational basis of the top register resulting in outcome "0" is 1 when $|\xi\rangle = |\chi\rangle$. But when $\langle\xi|\chi\rangle = \lambda < 1$, this probability is

$$
(|0\rangle\langle 0| \otimes I) \,\cdot \qquad (8)
$$

which we denote $q_{N,\lambda}$. Thus, we only care whether the measurement outcome is "0" or not: in case it is "0", we guess that $|\xi\rangle = |\chi\rangle$ (but we might be wrong); otherwise, we know that $\langle\xi|\chi\rangle = \lambda < 1$. With this strategy, we can only make an error when $\langle\xi|\chi\rangle = \lambda < 1$, in which case the error probability is $q_{N,\lambda}$.
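The right-hand side of Eq. (8) is not legible in this copy of the text. The following derivation of $q_{N,\lambda}$ is added here and is not part of the original paper; it assumes, as is standard for this circuit, that the control register is passed back through $F^{\dagger}$ before the computational-basis measurement, so that outcome "0" applies to the target registers the operator

$$
(\langle 0| F^{\dagger} \otimes I) \Big( \sum_{\sigma \in S_N} |\sigma\rangle\langle\sigma| \otimes P_\sigma \Big) (F|0\rangle \otimes I)
= \frac{1}{N!} \sum_{\sigma \in S_N} P_\sigma =: \Pi_{\mathrm{sym}},
$$

the projector onto the symmetric subspace of the $N$ target registers ($P_\sigma$ permutes the registers according to $\sigma$). With $|\psi\rangle = |\xi\rangle \otimes |\chi\rangle^{\otimes (N-1)}$ the outcome probability is $\|\Pi_{\mathrm{sym}} |\psi\rangle\|^2 = \langle\psi|\Pi_{\mathrm{sym}}|\psi\rangle$. Of the $N!$ permutations, the $(N-1)!$ that fix the register holding $|\xi\rangle$ give $\langle\psi|P_\sigma|\psi\rangle = 1$; the remaining $N! - (N-1)!$ move $|\xi\rangle$ onto a register that held $|\chi\rangle$ and give $\langle\xi|\chi\rangle\langle\chi|\xi\rangle = \lambda^2$. Hence

$$
q_{N,\lambda} = \frac{(N-1)! + \big(N! - (N-1)!\big)\lambda^2}{N!} = \frac{1 + (N-1)\lambda^2}{N}.
$$

Two checks against the text: for $\lambda = 1$ (i.e. $|\xi\rangle = |\chi\rangle$) the probability is 1, as stated above; for $\lambda = 0$ and $N = T$ it gives $q_{T,0} = 1/T$, which is the value that turns Eq. (13) into Eq. (14) in Section IV. Note that the error does not vanish with more copies: even with orthogonal states, $N$ copies only bring the one-sided error down to $1/N$.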

Thus, to perform a forward search attack by symmetry test, Eve applies the above procedure (and decision strategy) with

$$
|\xi\rangle = |\Phi_{k,b}\rangle, \qquad (9)
$$

$$
|\chi\rangle = |\Phi_{k,0}\rangle, \qquad (10)
$$

and the maximum possible $N$. For a (non-classical) quantum-public-key bit-encryption scheme, Eve can use $N = T$ (the actual ciphertext plus the $T-1$ test-ciphertexts $U_0|\psi_k\rangle$ she prepares from the remaining copies of the public key), thus obtaining one-sided error $q_{T,\lambda}$ [?]. Although we only suspect that this forward search attack is nearly the optimal one, we note that the same symmetry-test procedure is nearly optimal for the "$(N', N')$-copy state distinguishing problem", where one is given $N'$ copies each of $|\xi\rangle$ and $|\chi\rangle$ (and the procedure permutes $2N'$, instead of $N$, target registers) [?]. In the remainder of this work, we show that our assumption that Eve's probability of correctly guessing the plaintext (by forward search attack) is bounded away from 1 leads to a simple randomized encryption scheme that uses the original deterministic scheme as a black box and is resistant to our forward search attack.



IV. RANDOMIZATION AGAINST FORWARD SEARCH ATTACK

Any deterministic public-key bit-encryption scheme, quantum or classical, is susceptible to a forward search attack. However, if the scheme can be nontrivially extended to encrypting multiple-bit plaintexts — by which we mean that the multiple-bit scheme is not merely the concatenation of instances of the original single-bit scheme — one possible way to guard against a forward search attack is to use the following parity encoding. If the desired plaintext is $b \in \{0,1\}$, Bob should first choose a uniformly random binary-string codeword $w$, whose length is $s \ge 1$ and whose (Hamming) weight (sum of the bits) has parity $b$, and then encrypt $b$ by using the $s$-bit version of the deterministic scheme to encrypt $w$, i.e., the new ciphertext encoding $b$ is actually the ciphertext encoding $w$. Assuming Alice knows that the intended plaintext $b$ is actually the parity of the weight of $w$, this forms a randomized bit-encryption scheme that, for sufficiently large $s$, may not be susceptible to the forward search attack (of course, we do not claim that the use of the parity encoding results in a secure bit-encryption scheme, in general). The parameter $s$ thus functions as a "security parameter".

Now consider the case where the original deterministic bit-encryption scheme has no nontrivial extension to multiple-bit plaintexts. Can it be used several times (under different key-values) as a black box, in order to create a randomized scheme that is potentially secure against a compound forward search attack, whereby Eve does a forward search attack on every instance of the original scheme? In the classical setting, the answer is clearly "no": Eve would learn the correct plaintext in every instance of the original scheme, so Alice would have no advantage over her. In our quantum setting, however, the answer to this question is "yes", as shown by the following randomized bit-encryption scheme, which just combines the above parity encoding with the trivial multiple-bit extension of the original scheme. Assume that Alice's public key is now $\bigotimes_{i=1}^{s} |\psi_{k_i}\rangle$, where each $k_i$ is uniformly randomly chosen from $\{0,1\}^n$. To encrypt plaintext $b \in \{0,1\}$, Bob again first chooses a uniformly random codeword $w$, whose length is $s \ge 1$ and whose weight has parity $b$. The ciphertext that encodes $b$ is now simply $\bigotimes_{i=1}^{s} |\Phi_{k_i, w_i}\rangle$, where $w = w_1 w_2 \cdots w_s$. Alice decrypts to get $w$, and thus the intended plaintext $b$ as the parity of the weight of $w$.

Consider Eve's compound forward search attack by symmetry test on this new scheme, whereby Eve does $s$ separate forward search attacks by symmetry test as described in the previous section, one for each value of $i$. We now assume that distinct ciphertexts (under the same key-value) in the original bit-encryption scheme are orthogonal, i.e., $\lambda = \langle\Phi_{k_i,0}|\Phi_{k_i,1}\rangle = 0$ for all $i$ (this restricts to schemes where decryption is perfect). Assuming Eve uses $|\chi\rangle = |\Phi_{k_i,0}\rangle$ for all $i$, she can only fail in guessing $w_i$ correctly when $w_i = 1$ (when $w_i = 0$ the test and actual ciphertexts are identical and the symmetry test passes with certainty). Each codeword $w$ has a weight $\alpha$ of well-defined parity. Thus, a codeword will be decrypted correctly if, for some even $\gamma \in \{0, 1, \ldots, \alpha\}$, $\gamma$ out of the $\alpha$ symmetry tests give measurement outcome "0" and $(\alpha - \gamma)$ symmetry tests give a different outcome. On average, the probabilities for Eve to decrypt successfully each of the bit values are

$$
P^{(s)}(\mathrm{success} \mid b = 0) = \frac{1}{2^{s-1}} \sum_{\substack{\alpha = 0 \\ \alpha\ \mathrm{even}}}^{s} \sum_{\substack{\gamma = 0 \\ \gamma\ \mathrm{even}}}^{\alpha} \binom{s}{\alpha} \binom{\alpha}{\gamma} q^{\gamma} (1-q)^{\alpha - \gamma} \qquad (11)
$$

$$
P^{(s)}(\mathrm{success} \mid b = 1) = \frac{1}{2^{s-1}} \sum_{\substack{\alpha = 0 \\ \alpha\ \mathrm{odd}}}^{s} \sum_{\substack{\gamma = 0 \\ \gamma\ \mathrm{even}}}^{\alpha} \binom{s}{\alpha} \binom{\alpha}{\gamma} q^{\gamma} (1-q)^{\alpha - \gamma} \qquad (12)
$$

where $q = q_{T,0}$ (the factor $1/2^{s-1}$ is the number of length-$s$ codewords of a given parity). Since we assume both plaintexts are equally probable, we have

$$
P^{(s)}(\mathrm{success}) = \frac{P^{(s)}(\mathrm{success} \mid b = 0) + P^{(s)}(\mathrm{success} \mid b = 1)}{2} = \frac{1 + (1-q)^s}{2} \qquad (13)
$$

$$
= \frac{1}{2} + \frac{(T-1)^s}{2\,T^s}, \qquad (14)
$$

where the second-last line follows by mathematical induction on $s$ [17], and the last line from $q = q_{T,0} = 1/T$.

Assume now that Alice and Bob have agreed in advance on a security threshold $\varepsilon \ll 1$, such that Eve's probability of success is restricted to slightly above random guessing, i.e., $P^{(s)}(\mathrm{success}) < 1/2 + \varepsilon$. By Eq. (14) this means $((T-1)/T)^s < 2\varepsilon$, which immediately implies that the plaintext $b$ has to be encoded on

$$
s > \frac{1 + \log_2(\varepsilon)}{\log_2\!\left(\frac{T-1}{T}\right)} \qquad (15)
$$

qubits (both numerator and denominator are negative for $\varepsilon < 1/2$ and $T \ge 2$). Working on the right-hand side of this inequality, we may derive a less tight, but simpler lower bound, namely

$$
s > T \,|1 + \log_2(\varepsilon)|. \qquad (16)
$$

Assuming our forward search attack is the optimal one, this condition is sufficient to thwart Eve's compound forward search attack on the randomized bit-encryption scheme.
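The following Python script is an added worked example, not code from the paper. It brute-forces the symmetry test of Sec. III by averaging $\langle\psi|P_\sigma|\psi\rangle$ over all $N!$ register permutations (the symmetric-subspace projector), compares the result with the closed form $q_{N,\lambda} = (1 + (N-1)\lambda^2)/N$ (an assumption of this example, derived from that projector, since Eq. (8) is not legible above), and then evaluates the compound attack of Sec. IV: the double sums (11)-(12), the closed form (13)-(14), and the minimal $s$ given by (15) and (16). All state vectors and parameters ($T = 3$ or $4$, $\varepsilon = 2^{-10}$) are constructed inputs for illustration.

```python
"""Added example: symmetry-test forward search attack (Sec. III) and the
compound attack on the parity-encoded scheme (Sec. IV). Pure Python."""
import itertools
import math
from fractions import Fraction


def product_state(factors):
    """Tensor product of single-register state vectors (lists of amplitudes)."""
    vec = [1.0 + 0j]
    for f in factors:
        vec = [a * b for a in vec for b in f]
    return vec


def permute_registers(vec, d, sigma):
    """Apply the register permutation sigma to an N-register state of local
    dimension d: the amplitude at (j_0, ..., j_{N-1}) moves to (j_sigma(0), ...)."""
    n = len(sigma)
    out = [0j] * len(vec)
    for idx, amp in enumerate(vec):
        digits, x = [], idx
        for _ in range(n):
            digits.append(x % d)
            x //= d
        digits.reverse()
        new_idx = 0
        for i in range(n):
            new_idx = new_idx * d + digits[sigma[i]]
        out[new_idx] += amp
    return out


def symmetry_test_pass_probability(xi, chi, n_total):
    """Probability that the Fig. 1 test outputs "0" on |xi> (x) |chi>^{(N-1)}.
    Outcome "0" projects onto the symmetric subspace, whose projector is the
    average of all N! permutation operators, so we average <psi|P_sigma|psi>."""
    d = len(xi)
    psi = product_state([xi] + [chi] * (n_total - 1))
    acc = 0j
    for sigma in itertools.permutations(range(n_total)):
        permuted = permute_registers(psi, d, sigma)
        acc += sum(a.conjugate() * b for a, b in zip(psi, permuted))
    return (acc / math.factorial(n_total)).real


def q_closed_form(n_total, lam):
    """Assumed closed form q_{N,lambda} = (1 + (N-1) lambda^2) / N."""
    return (1 + (n_total - 1) * lam ** 2) / n_total


def compound_success(s, T):
    """Eqs. (11)-(13): Eve's success probability against the parity-encoded
    scheme with s instances and q = q_{T,0} = 1/T, as an exact Fraction.
    Only positions with w_i = 1 can be misread (each with probability q); the
    parity survives iff an even number gamma of those alpha positions flip."""
    q = Fraction(1, T)

    def conditional(parity):
        total = Fraction(0)
        for alpha in range(parity, s + 1, 2):          # weights of parity b
            for gamma in range(0, alpha + 1, 2):        # even number of flips
                total += (math.comb(s, alpha) * math.comb(alpha, gamma)
                          * q ** gamma * (1 - q) ** (alpha - gamma))
        return total / Fraction(2) ** (s - 1)           # 2^(s-1) codewords per parity

    return (conditional(0) + conditional(1)) / 2


def closed_form_success(s, T):
    """Eq. (14): 1/2 + (T-1)^s / (2 T^s)."""
    return (1 + Fraction(T - 1, T) ** s) / 2


def min_s_exact(T, eps):
    """Smallest integer s satisfying Eq. (15), i.e. P^(s)(success) < 1/2 + eps."""
    return math.floor((1 + math.log2(eps)) / math.log2((T - 1) / T)) + 1


def min_s_simple(T, eps):
    """Smallest integer s satisfying the looser Eq. (16): s > T |1 + log2(eps)|."""
    return math.floor(T * abs(1 + math.log2(eps))) + 1


if __name__ == "__main__":
    # Constructed inputs: orthogonal ciphertexts |0>, |1> (lambda = 0) and a
    # non-orthogonal pair with lambda = 0.6, with N = T = 3 registers.
    print("q_{3,0}   brute force:", symmetry_test_pass_probability([1, 0], [0, 1], 3),
          "closed form:", q_closed_form(3, 0))
    print("q_{3,0.6} brute force:", symmetry_test_pass_probability([1, 0], [0.6, 0.8], 3),
          "closed form:", q_closed_form(3, 0.6))
    T, eps = 4, 2 ** -10
    for s in (1, 5, min_s_exact(T, eps)):
        print(f"s={s:2d}: P(success) = {float(compound_success(s, T)):.6f}",
              f"(closed form {float(closed_form_success(s, T)):.6f})")
    print("minimal s from (15):", min_s_exact(T, eps), "from (16):", min_s_simple(T, eps))
```

The brute-force average is exponential in $N$ and is only meant to validate the closed form for small cases; the compound-attack functions use exact rational arithmetic so that (11)-(12) and (13)-(14) can be compared for equality rather than approximately.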



V. SUMMARY 

We have introduced the forward search attack in the framework of quantum-public-key encryption, which aims at recovering the plaintext from the ciphertext without reference to the structure of the particular encryption scheme. As in the classical public-key setting, any deterministic encryption scheme that uses quantum public keys is susceptible to such an attack, unless some sort of randomization is used.

Several quantum-public-key encryption schemes have been proposed, the three most notable ones appearing in Refs. [5, 6, 9]. The schemes in Refs. [5, 6] are randomized, with nontrivial extensions to multiple-bit plaintexts, and thus they are not vulnerable to a forward search attack [18]. The scheme in Ref. [9] is randomized in the way we have presented in Sec. IV; our work places that scheme in the wider cryptographic context. In terms of computational efficiency, we note that the schemes in Refs. [5, 6] require scalable quantum computing in order to be secure against our forward search attack, whereas the scheme in Ref. [9] requires only single-qubit rotations about a fixed axis.
NOTES

[?] (Note to the remark in Sec. III that Definition 1 subsumes the classical forward search attack.) For this to be true, the only assumption needed is that the set of ciphertexts of any such scheme is a subset of the computational basis, so that the outcome of a joint measurement with respect to the computational basis of the actual ciphertext and one copy of the test-ciphertext determines with certainty whether the two ciphertexts are identical.

[?] (Note to the choice $N = T$ in Sec. III.) For a classical, computationally-secure scheme implemented quantum-mechanically, Eve can use arbitrarily large $N$ so that her error is arbitrarily close to zero, as we would expect.

[17] The proof consists of two steps. First, it can be shown that Eq. (13) holds for $s = 1$, i.e., $P^{(1)}(\mathrm{success}) = [1 + (1-q)]/2$. Second, assuming that Eq. (13) holds for $s$, one can show that it also holds for $s+1$. In this last step, one needs basic identities of binomial coefficients, including $\sum_{\alpha=0}^{s} \binom{s}{\alpha} = 2^s$ and Pascal's rule $\binom{s}{\alpha} + \binom{s}{\alpha - 1} = \binom{s+1}{\alpha}$.

[18] The mere fact that a (qu)bit-encryption scheme is randomized is not necessarily enough for our forward search attack to be ineffective: if the amount of randomness is dependent on (i.e. limited by) the size of the plaintext, then the $s$-(qu)bit extension of the scheme may have to be used in order to get a secure bit-encryption scheme (even though the single-qubit-encryption scheme may be secure for a uniformly random qubit-plaintext with respect to the Haar measure), by encoding the intended plaintext $b \in \{0,1\}$ as the ciphertext that encodes the multi-qubit plaintext $|b\rangle^{\otimes s}$, for some $s > 1$.



